Am I on the verge of my first bug found?


#1

OK, I am a total noob, but I believe I may have found something and need an expert hunter's tip/advice.

I have been testing a search parameter on a program; the result is all double quoted, e.g.
your search for “example” is not found
However,

by inserting some JavaScript I managed to generate a dynamic link,
e.g.

your search for "http://example.com was not found, but the URL is now a hyperlink; however, I can't click on it.

So I've experimented a little further and found that if I enter the URL via an HTML tag,
e.g.

click here” the URL is created within the double quotes and "click here" is clickable.

My question to you geniuses is: is this a vulnerability in itself that I should report? If not, what type of further investigating do I need to do? E.g. should I be looking at open redirect reports, etc.? I would like to solve this myself if possible. Sorry if I am not making sense, but I feel I'm on the cusp of my first find and am sure you have all been here before. Please help, guys.


#2

Hi,

The payload you are sending, is it via POST (goes in the document body) or GET (goes in the URL)? If it's GET and you can insert HTML tags like <a>, try to add an event like onmouseout, onclick, onmouseover, etc. For example, try something like <a href="https://whatever.com" onclick="alert(document.domain)">click me please</a>. Don't forget to check the source code of that web page to see how and where the website is rendering your payload. You can check BruteLogic's blog for more information about events and XSS in general. (https://brutelogic.com.br/blog/xss101/)

Good luck and happy hunting!
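The symptom described in the thread (a search term reflected inside a double-quoted message so that tags in it become live markup) and the "check the source" advice above can both be illustrated with a small script. This is an added example, not code from the thread or from the program being tested: the message template is a constructed stand-in for the real page, the probe is the one quoted in the reply above, and the parser check stands in for viewing the page source by hand. It also shows the fix a developer would apply, HTML-encoding the term so the same input no longer yields any element.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for the search page's result message; the real
# application's template is not shown in the thread (assumption).
TEMPLATE = 'your search for "{term}" is not found'

# The probe quoted in the reply above, used here only as test input.
PROBE = '<a href="https://whatever.com" onclick="alert(document.domain)">click me please</a>'


def render_unescaped(term: str) -> str:
    """The pattern behind the thread's symptom: the search term is pasted
    straight into the HTML, so any tag it contains becomes real markup."""
    return TEMPLATE.format(term=term)


def render_escaped(term: str) -> str:
    """Hardened rendering: HTML-encode the term (quote=True also encodes
    both quote characters) before it is placed in the page."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag and any on* (event handler) attributes it carries."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        handlers = [name for name, _ in attrs if name.lower().startswith("on")]
        self.tags.append((tag, handlers))


def injected_markup(rendered: str) -> list[tuple[str, list[str]]]:
    """The 'view source' check from the reply, automated: parse the rendered
    page the way a browser would and return (tag, [event attributes]) for
    every element that survived. An empty list means the input was neutralised."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        page = render(PROBE)
        print(f"{name}: {page}")
        print(f"  elements parsed: {injected_markup(page)}")
```

Run it and the unescaped rendering parses to one <a> element carrying an onclick attribute, which is exactly what the reply tells the poster to look for in the page source; the escaped rendering parses to no element at all, because `<` and `"` arrive as `&lt;` and `&quot;`. The same check applied to the poster's own input (`"http://example.com`) shows why the quote character matters: unencoded, it closes the surrounding attribute or string early.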


#3

Thanks for responding @gamliel_infosec, it was a GET request. I don't really want to say too much for fear of breaking disclosure rules. I tried similar payloads to what you described and found it was just appending the URL to the site's URL. I tried messing around and found some other bug which I have since reported (it's not on this program). I fully appreciate you sharing your knowledge.


#4

Sorry @merlinwhite16, I don't really understand the vulnerability. If you still have issues exploiting it, let me know; maybe I can help.


#5

Ah, it's OK, thanks @stefanofinding, I figured it out in the end; it was a duplicate report. I missed it by 13 days, so I was unlucky that time. Thanks for offering assistance.


#6

I’m glad to know you figured it out.